Adapting to the Security Threat of Climate Change

Climate change is a generational risk with profound implications to alter not just our physical world but our digital world, too. While not traditionally associated as a cybersecurity risk, the accelerating frequency, severity, and significance of climate change and extreme weather have left a devastating toll on individuals, businesses, and the critical infrastructure connecting the world. With staff facing reduced capacity and readiness and impaired IT and security controls, hackers have a larger attack surface to target.

Facing this growing threat, IT and cybersecurity teams should work with leaders across their organization to develop a robust business continuity and disaster recovery (BC/DR) plan that includes climate and extreme weather-related events. While no silver bullet, having a documented set of procedures and actions can help turn a cataclysmic business event into just a minor slowdown.

Factoring in Economic, Social Challenges
Over the last three decades, hurricanes, wildfires, earthquakes, and other extreme weather events have exposed the fragility of entire communities. We are constantly reminded of communities at risk of being wiped out or experiencing power outages that leave businesses, governments, and individuals in the dark for days, weeks, or longer.

With the growing reliance on digital technology and the innate dependency on suddenly fragile data centers and power grids, strategies for managing these climate risks must be part of any organization's business continuity and disaster recovery (BC/DR) plan. If organizations don't plan for these risks, the economic and social costs of inaction could be overwhelming.

On top of the weaknesses and holes that may arise in security measures, the indirect social and financial costs of climate change should also factor into IT and cybersecurity leaders' decision-making. The International Organization for Migration estimates there could be more than 200 million climate refugees by 2050 and rising inequality could force people to turn to cybercrime as a means to survive.

The rate of cyberattacks against hospitals, schools, local governments, and businesses has risen steadily, and we're already beginning to see phishing scams designed to take advantage of people's anxiety around the effects of climate change. And as resource competition increases between nations, cyber warfare is a threat that cybersecurity professionals should consider, including attacks that can bring about the same types of infrastructure problems that follow climate disasters.

In 2019, the US power grid was under a cyberattack carried out using known firewall vulnerability. And just this year, in what unraveled as nation-state attacks, SolarWinds and Microsoft suffered breaches through the manipulation of exploits in their software development processes. These supply-chain attacks effectively allowed attackers to move upstream to increasingly more valuable targets, including Fortune 500 companies and US federal agencies that were spied on and had information stolen.

While the immediate effects are still unclear, it's clear to see how devastating an attack of this scale targeting power grids or data centers could be. Not only does cybersecurity play a critical role in providing digital safeguards after a climate event, but it is also pivotal in protecting the services, resources, and systems that keep society running.

Adapting BC/DRs to Recent Climate Threats
During the recent winter storms, my family joined more than 4 million other Houstonians as we lost power, running water, and cell service for days. Without the means of doing my job, and extremely intermittent cellular service, I had to rely on our organization's leaders along with my team to continue vital business functions like security and cloud management. The entire experience highlighted the need for alternative modes of communication and documenting soft-touch processes, two key areas we had identified as critical to our BC/DR plan and were in the process of implementing.

Smaller organizations and startups just getting started may find setting up a BC/DR plan as challenging early on as they work to describe, document, and verify critical procedures. For these organizations, many processes develop organically, particularly around communication and responsibilities, and can be difficult to wrap into a larger executable format. But as companies mature, it becomes increasingly important to have documentation of the clear steps and actions to be taken in order to provide business continuity.

Climate and extreme weather-related downtime impacts more and more businesses and are expected to cost the global economy $210 billion annually. Adapting BC/DR plans to this new reality means accounting for the myriad social, economic, and technological challenges businesses will face because of climate change. Beyond just documenting roles, processes, and operations, these BC/DR plans should account for what to do in the event that an office loses power, what to do if an organization's on-premises or cloud-hosted data centers are damaged, and how to respond if the organization is under cyberattack.

We're already experiencing the effects of climate change, but we still don't know the true impact it will have, so it's the job of IT and cybersecurity leaders to plan for the worst and adapt to the new risks. A layered approach that includes cybersecurity best practices such as mandating multi- and dual-factor authentication across the board, increasing employee security training with extra focus on social engineering attacks such as phishing scams, and implementing security tools and automation to increase controls provides a strong start. From there, stacking on top of this a living BC/DR plan that maps out and factors in the hazards of climate-based risks as well as those with business-halting ransomware attacks will keep businesses agile while responding to threats.